Embry-Riddle Aeronautical University Prescott, Arizona

Presentation transcript:

1 Title
Explaining the Buffer Overflow Problem: Instructional Design and Evaluation in Information Security Education
Embry-Riddle Aeronautical University, Prescott, Arizona

2 Grant Overview (** = author)
- NSF Federal Cyber Service “Scholarships for Service” Institutional Capacity-building Award No.
- College of Engineering: ** Dr. Susan L. Gerhart, Dr. Matthew S. Jaffe, Dr. Paul Hriljac
- Science, Technology, Globalization Program: Dr. Richard Bloom
- Consultants: ** Dr. Jan G. Hogle (Ed. Tech.), ** Jedidiah Crandall (Student)
- Science, Technology, and Glob

3 Grant Overview: Goals
- Interactive modules for undergraduate curricula: the Buffer Overflow problem; Cryptography; Interdependent Security Dimensions; Personnel Screening
- Increased student interest in security, possible degree program
- Dissemination to other universities

4 Buffer Overflow Module: The Problem
- Buffer overflow: when data is written outside the bounds of its allocated memory
- Vulnerabilities: an attacker can
  - “hijack” program execution
  - overwrite security-sensitive data in memory
  - cause a program crash, leading to denial of service or a core dump of security-sensitive data

5 Buffer Overflow Module: Motivation
- Pervasive and costly: “public enemy #1”, >½ of CERT alerts
- Improve software engineering practice
- Hook for introducing security in several courses
- Good application for interactive educational technology

6 Buffer Overflow Module: Approach
- Demo: simulated abstract machine (Java applets)
- Instructional methodology:
  - Audiences: programmer, tester, journalist, IT manager
  - Goals/objectives: what to learn, how to measure learning
  - Evaluation: interviews, questionnaires, quizzes, …

7 Buffer Overflow Module: Interactive Educational Package
- Stand-alone Authorware + website
- Explanations of attacks and defenses
- Demo applets and instructor guide
- Links, Code Red case study
- Quiz and scavenger hunt
- Courses: programming, languages, operating systems, software engineering, security
- Requires: 30 min. to demo + prerequisite introduction + depth (depends on course)
- Results: rapid learning, high-impact presentation, learner engagement, retention

8 Demo: http://nsfsecurity.pr.erau.edu/bom
- Stacks: how a typical C compiler uses run-time stacks
- Spock: how security-sensitive data can be overwritten
- Smasher: how program execution can be diverted away from the normal program execution path
- StackGuard: how one particular defense against stack smashing works
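The simulated abstract machine behind the Spock, Smasher and StackGuard demos, as an added example in C that is not part of the module or of these slides: it lays a function's stack frame out as a byte array (an 8-byte buffer, a StackGuard-style canary word, a privilege flag standing in for security-sensitive data, and the saved return address), runs an unbounded strcpy-style copy and a length-bounded copy into it, and reports what each one overwrote and whether the canary check on function exit would catch it. The frame layout, the canary value and the saved return address are all constructed for the illustration; the simulator only ever writes inside its own array, so the program itself is well-defined C.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for the simulated machine. Offsets are bytes;
 * higher offsets are higher addresses, the direction an overflow runs. */
#define BUF_OFF    0    /* char buf[8]                                   */
#define BUF_LEN    8
#define CANARY_OFF 8    /* canary word between locals and the rest       */
#define ADMIN_OFF  12   /* int is_admin: "security-sensitive data"       */
#define RET_OFF    16   /* saved return address                          */
#define FRAME_SIZE 20

/* Constructed values. The real StackGuard used a terminator or a random canary. */
#define CANARY_VALUE 0x5a2b7c1du
#define SAVED_RET    0x08048abcu

typedef struct {
    size_t   bytes_written; /* bytes the copy placed in the frame, NUL included */
    bool     canary_intact; /* what the StackGuard check on function exit sees  */
    uint32_t is_admin;      /* 0 = unprivileged caller                          */
    uint32_t ret_addr;      /* where the function will return to                */
} sim_result;

/* The simulated machine is little-endian. */
static uint32_t read_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_u32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* One call of a function that copies `input` into its local buffer.
 * bounded_copy=false models strcpy(): it stops at the NUL, not at the buffer end.
 * bounded_copy=true models a length-checked copy that leaves room for the NUL. */
sim_result simulate_call(const char *input, bool bounded_copy)
{
    uint8_t frame[FRAME_SIZE + 1];       /* +1 so the simulator never writes past its own array */
    memset(frame, 0, sizeof frame);
    write_u32(frame + CANARY_OFF, CANARY_VALUE);
    write_u32(frame + ADMIN_OFF, 0);     /* caller is not privileged */
    write_u32(frame + RET_OFF, SAVED_RET);

    size_t n = strlen(input);
    /* A real strcpy would keep going; the simulator caps at the frame it owns. */
    size_t limit = bounded_copy ? BUF_LEN - 1 : FRAME_SIZE;
    if (n > limit) n = limit;
    memcpy(frame + BUF_OFF, input, n);
    frame[BUF_OFF + n] = '\0';           /* the terminating NUL lands wherever the copy stopped */

    sim_result r;
    r.bytes_written = n + 1;
    r.canary_intact = read_u32(frame + CANARY_OFF) == CANARY_VALUE;
    r.is_admin      = read_u32(frame + ADMIN_OFF);
    r.ret_addr      = read_u32(frame + RET_OFF);
    return r;
}

static void show(const char *label, sim_result r)
{
    printf("%-34s wrote %2zu bytes  canary %s  is_admin=0x%08x  ret=0x%08x\n",
           label, r.bytes_written, r.canary_intact ? "intact " : "TRIPPED",
           (unsigned)r.is_admin, (unsigned)r.ret_addr);
}

int main(void)
{
    const char *sixteen_a = "AAAAAAAA" "AAAAAAAA";
    const char *twenty_a  = "AAAAA" "AAAAA" "AAAAA" "AAAAA";
    show("5 bytes, strcpy (fits)",            simulate_call("hello", false));
    show("8 bytes, strcpy (NUL hits canary)", simulate_call("AAAAAAAA", false));
    show("16 bytes, strcpy (flag overwritten)", simulate_call(sixteen_a, false));
    show("20 bytes, strcpy (return address)", simulate_call(twenty_a, false));
    show("20 bytes, bounded copy",            simulate_call(twenty_a, true));
    return 0;
}
```

The five runs map onto the demo applets: the 16-byte input overwrites the privilege flag (Spock), the 20-byte input replaces the saved return address (Smasher), and in every overflowing case the canary word no longer matches on exit, which is the check StackGuard performs before the function returns (the 8-byte input shows that even the copy's terminating NUL is enough to trip it). The bounded copy, the fix on the programmer's side, never leaves the buffer.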

9 Evaluation
- Needs analysis matrix
- Formative evaluation:
  - Pre-quiz: memory, C, SE practice
  - Post (interview, questionnaire): New? Understandable? Useful?
  - Suggestions: color change, Spock?
- Website traffic high: 33,000 page views since Aug. 2002; average 25 visitors/day, 4 pages/visitor; >50% international

10 Lessons Learned
- Carefully defining the audience paid off
- “Interactivation” is hard! Professors aren’t comfortable, students are naturals
- Must abstract from processes, like B.O.
- Quizzes and scavenger hunts are easy and fun
- What’s learning? What’s gratuitous?
- Hard to obtain feedback – forms hated

